This month, the government-approved Cyber Essentials scheme receives its biggest overhaul to date. The significant changes to the scheme's technical requirements reflect the security challenges of today's digital world.
How does the Cyber Essentials scheme work?
The government-approved scheme comprises five technical controls that help protect organisations of all sizes against the majority of commodity cyber attacks. A team of experts reviews the scheme at regular intervals to ensure it stays effective in an ever-evolving threat landscape. This evolution allows UK businesses to keep raising the bar for their cyber security, and the scheme is now widely considered the minimum level of cyber security for all businesses.
Cyber Essentials takes the form of a verified self-assessment questionnaire. Organisations log on to a secure portal and answer a series of questions covering the scope of the assessment, their employees, devices and work locations. They also answer questions on the five core controls: user access control, secure configuration, security update management, firewalls and routers, and malware protection.
A senior member of the board signs a document confirming that all the answers are true, and a qualified external assessor then marks the answers.
The preparation and process of getting certified to Cyber Essentials gives an organisation a clear picture of its cyber security and an opportunity to improve it.
For organisations that require a higher level of assurance, Cyber Essentials Plus starts with the same Cyber Essentials questionnaire, but the technical controls are then audited in practice by an assessor to verify that they are in place. UK-based SMEs with a turnover of less than £20 million that certify their whole organisation to Cyber Essentials are awarded free cyber security insurance.
The Cyber Essentials certification badge signals to customers, investors and those in the supply chain that an organisation has put the government-approved minimum level of cyber security in place and can be trusted with their data and business. Many contracts stipulate Cyber Essentials as a prerequisite.
The scheme was introduced by the UK Government in 2014 as a way to help make the UK the safest place to do business online. The environment in which the scheme operates has changed dramatically in the last seven years and, to reflect these changes, some of the technical control requirements were updated in January 2022. The pricing of Cyber Essentials has also changed and adopts a new tiered structure based on organisation size.
While micro-organisations will continue to pay the current £300 assessment charge, small, medium and large organisations will pay a little more, on a sliding scale that aims to better reflect the complexity involved in assessing larger organisations.
The main technical changes
In recent years, business cyber security has been further challenged by the wide adoption of cloud services, the move to home and hybrid working, and the use of privately owned devices. Many of the changes to the Cyber Essentials technical requirements reflect this new environment.
Home working devices are in scope, but most home routers are not.
Anyone working from home for any amount of time is classified as a 'home worker'. The devices that home workers use to access organisational data and services, whether they are owned by the organisation or the user, are in scope for Cyber Essentials.
Home routers provided by Internet Service Providers or bought by the home worker are now out of scope for the assessment; instead, the Cyber Essentials firewall controls apply to the home worker's device itself (computer, laptop, tablet and/or phone), i.e. the device's own software firewall. However, a router supplied by the applicant company is in scope for the assessment and must have the Cyber Essentials controls applied to it.
Why the change?
Home working or hybrid working (coming into the office for only part of the working week) is now normal practice for most businesses and is unlikely to change back in the short term. It is difficult to impose rules on many employees' private home routers unless the router is provided by the organisation.
All cloud services are in scope
Cloud services are now fully integrated into the scheme. If an organisation's data or services are hosted on cloud services, the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented on that service. Definitions have been added for Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Whether the cloud service provider or the user actually implements a given control depends on the type of cloud service, but the user is responsible for checking that the controls are in place.
Why the change?
People commonly assume that cloud services are secure out of the box, but this is not the case. Users must take responsibility for the services they use: read the provider's documentation, check how their cloud services are configured, and apply the Cyber Essentials controls where possible. Previously, PaaS and SaaS were not in scope for Cyber Essentials, but the new requirements insist that organisations take responsibility for user access control and the secure configuration of their services; this includes securely managing access to the various administration accounts and blocking accounts they do not need. Where the cloud provider is responsible for implementing one or more of the controls (for example security update management or anti-malware), the applicant organisation is responsible for seeking evidence that this is done to the required standard.
Multi-factor authentication (MFA) must be used for access to cloud services
As well as providing extra protection for passwords that are not protected by other technical controls, multi-factor authentication should always be used to give additional protection to administrator accounts and user accounts when connecting to cloud services.
No matter how an attacker acquires a password, if multi-factor authentication is enabled on the account it acts as a safeguard: the password alone is not enough to log in.
The password element of a multi-factor authentication approach must be at least eight characters long, with no maximum length restriction.
Why the change?
There has been an increasing number of attacks on cloud services that steal or brute-force users' passwords in order to access their accounts.
Thin clients are in scope
Thin clients are a type of very simple computer that holds only a base operating system and is often used to connect to virtual desktops. These are confirmed as being in scope when they connect to organisational data or services.
Password-based and multi-factor authentication requirements
When passwords are used, at least one of the following protections must be in place to defend against brute-force password guessing:
• Using multi-factor authentication
• Throttling the rate at which unsuccessful login attempts are accepted.
• Locking accounts after no more than 10 unsuccessful attempts.
Technical controls are used to manage the quality of passwords. This means one of the following:
• Using multi-factor authentication in conjunction with a password of at least eight characters, with no maximum length restrictions.
• A minimum password length of at least 12 characters, with no maximum length restrictions.
• A minimum password length of at least eight characters, with no maximum length restrictions, combined with automatic blocking of common passwords using a deny list.
People must be supported to choose unique passwords for their work accounts, and new guidance has been created on how to form them. It is now recommended that three random words are used to create a password that is long, difficult to guess and unique. There must be an established process to change passwords promptly if the applicant knows or suspects that a password or account has been compromised.
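The password-quality options and the brute-force protections listed above can be expressed as a small checker. The following is an added example written for this page, not IASME or NCSC code; the deny list, the back-off schedule and the sample login attempts are constructed, and the 10-failure lockout and the three length/MFA/deny-list options are taken directly from the requirements above.

```python
"""Password-quality and brute-force protection checks modelled on the Cyber
Essentials requirements. Added example; not IASME or NCSC code. The deny
list, the back-off schedule and the sample attempts are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed deny list. A real deployment would load a large list of
# breached and common passwords rather than a handful of strings.
DENY_LIST = frozenset({"password", "password1", "welcome1", "qwerty123",
                       "letmein1", "admin123"})

MAX_FAILURES = 10  # CE: lock after no more than 10 unsuccessful attempts


@dataclass
class Policy:
    mfa_enabled: bool
    deny_list: frozenset = frozenset()  # empty means no deny-list check is enforced


def password_meets_ce(password: str, policy: Policy) -> bool:
    """True if the password satisfies at least one of the three CE options.
    No maximum length is imposed, as the requirements forbid one."""
    n = len(password)
    if policy.mfa_enabled and n >= 8:            # option 1: MFA + 8 characters
        return True
    if n >= 12:                                  # option 2: 12 characters
        return True
    if n >= 8 and policy.deny_list and password.lower() not in policy.deny_list:
        return True                              # option 3: 8 characters + deny list
    return False


@dataclass
class Account:
    failures: int = 0
    locked: bool = False
    next_allowed: float = 0.0  # earliest time (seconds) another attempt is accepted


def record_attempt(acct: Account, success: bool, now: float) -> str:
    """Apply throttling and lockout to one login attempt.
    Returns 'ok', 'rejected', 'throttled' or 'locked'."""
    if acct.locked:
        return "locked"
    if now < acct.next_allowed:
        return "throttled"       # refused before the password is even checked
    if success:
        acct.failures = 0
        acct.next_allowed = 0.0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True       # needs an out-of-band unlock by an administrator
        return "locked"
    # Exponential back-off between guesses: 1 s, 2 s, 4 s, ... (constructed schedule)
    acct.next_allowed = now + 2 ** (acct.failures - 1)
    return "rejected"


def run_attempts(results: list[bool], gap: float) -> list[str]:
    """Replay a sequence of attempt outcomes (True = correct password),
    spaced `gap` seconds apart, against a fresh account."""
    acct, now, log = Account(), 0.0, []
    for ok in results:
        log.append(record_attempt(acct, ok, now))
        now += gap
    return log


if __name__ == "__main__":
    print(password_meets_ce("Sunset7!", Policy(mfa_enabled=True)))      # True: MFA + 8 chars
    print(password_meets_ce("Sunset7!", Policy(mfa_enabled=False)))     # False: no MFA, no deny list
    print(password_meets_ce("password1", Policy(False, DENY_LIST)))     # False: on the deny list
    print(password_meets_ce("coffeetrainwindow", Policy(False)))        # True: three random words
    print(run_attempts([False] * 12, gap=1000.0))  # nine 'rejected', then 'locked'
    print(run_attempts([False, False], gap=0.5))   # second guess is 'throttled'
```

The throttle and the lockout are both applied here although the requirement asks for only one of them; a slow attacker who spaces guesses out to dodge the throttle still hits the hard lock on the tenth failure, and a fast one is refused before the password is compared at all. The deny-list comparison is case-insensitive so that "Password1" is caught as well as "password1".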
What is a brute force attack?
Brute force attacks use trial and error to guess passwords and encryption keys. Against a login page, the attacker submits many different candidate passwords until one is accepted (online guessing, which the throttling and lockout controls above are designed to defeat). Against a stolen password database or an encrypted file there is no login page to slow the attacker down, and a powerful computer can test a very large number of candidates per second (offline cracking, against which only password length and uniqueness help). Depending on the length and complexity of the password and the power of the computer used, cracking a password can take anywhere from a few seconds to many years; modern computers have advanced to the point where an eight-character alphanumeric password can be cracked in just over two hours.
All high and critical updates must be applied within 14 days, and unsupported software must be removed
All software on in-scope devices must be:
• Licensed and supported
• Removed from devices when it becomes unsupported, or taken out of scope by placing it in a defined 'sub-set' that prevents all traffic to and from the internet
• Have automatic updates enabled where possible
• Updated, including applying any manual configuration changes required to make the update effective, within 14 days of the update being released, where:
– the update fixes vulnerabilities described by the vendor as 'critical' or 'high risk'
– the update addresses vulnerabilities with a CVSS v3 score of 7 or above
– the vendor provides no details of the severity of the vulnerabilities the update fixes
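The three triggers above, together with the 14-day clock, are easy to get wrong in a spreadsheet; a vendor that publishes no severity at all is the case most often missed. The following triage routine is an added example written for this page, not IASME or NCSC code. The product names, release dates, severities and scores in the sample inventory are constructed, and the 14-day deadline, the CVSS v3 threshold of 7.0 and the "no vendor details" trigger are taken from the requirement text.

```python
"""Patch-deadline triage modelled on the Cyber Essentials 14-day rule.
Added example; not IASME or NCSC code. The update records, product names
and dates below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEADLINE = timedelta(days=14)
VENDOR_HIGH = {"critical", "high", "high risk"}   # vendor wordings treated as 'critical'/'high risk'


@dataclass
class Update:
    product: str
    released: date
    vendor_severity: Optional[str]  # vendor's rating, or None if none was published
    cvss_v3: Optional[float]        # CVSS v3 base score, or None if none was published
    applied: bool


def needs_14_day_deadline(u: Update) -> bool:
    """An update is on the 14-day clock if ANY of the three CE triggers holds:
    vendor rates it critical/high risk, CVSS v3 is 7.0 or above, or the vendor
    gives no severity information at all (absence of a rating is not 'low')."""
    if u.vendor_severity is not None and u.vendor_severity.lower() in VENDOR_HIGH:
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= 7.0:
        return True
    if u.vendor_severity is None and u.cvss_v3 is None:
        return True
    return False


def triage(updates: list[Update], today: date) -> list[tuple[str, str, int]]:
    """Return (product, status, days_left) for each update, where days_left is
    the number of days until the 14-day deadline (negative once it has passed)."""
    report = []
    for u in updates:
        days_left = (u.released + DEADLINE - today).days
        if u.applied:
            status = "applied"
        elif not needs_14_day_deadline(u):
            status = "no_14_day_deadline"   # still to be applied, just not on this clock
        elif days_left < 0:
            status = "overdue"
        else:
            status = "due"
        report.append((u.product, status, days_left))
    return report


def overdue(report: list[tuple[str, str, int]]) -> list[str]:
    """Products whose 14-day deadline has already passed without the update being applied."""
    return [product for product, status, _ in report if status == "overdue"]


# Constructed sample inventory, assessed as of 1 February 2022.
TODAY = date(2022, 2, 1)
SAMPLE = [
    Update("mail server", date(2022, 1, 10), "critical", 9.8, applied=False),
    Update("office suite", date(2022, 1, 25), "high", None, applied=False),
    Update("pdf viewer", date(2022, 1, 5), "medium", 5.3, applied=False),
    Update("browser", date(2022, 1, 28), None, None, applied=False),   # vendor gave no details
    Update("router firmware", date(2022, 1, 3), "critical", 8.8, applied=True),
    Update("vpn client", date(2022, 1, 20), "moderate", 7.0, applied=False),  # CVSS trumps vendor wording
]


if __name__ == "__main__":
    report = triage(SAMPLE, TODAY)
    for row in report:
        print(row)
    print("overdue:", overdue(report))
```

Two rows in the sample are the ones worth noticing: the browser update carries no vendor rating and no score, so it is on the 14-day clock rather than ignored, and the VPN client is rated only "moderate" by its vendor but its CVSS v3 score of exactly 7.0 puts it on the clock as well. Anything reported as "no_14_day_deadline" still has to be applied; it is simply not subject to this particular deadline.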
Why the change?
Previously, a patch only had to be applied if the vulnerability it fixed met a set of criteria laid out in the requirements. Those criteria have now been dropped: organisations need to apply all high and critical updates on all their in-scope systems. This raises the bar because organisations can no longer be selective about which patches they apply and leave themselves weak and vulnerable. The reason for the change can be illustrated by a high-profile example this year: a vulnerability in Microsoft Exchange that was disclosed very publicly and reported by numerous news outlets.
That attack went from being a complex state-actor attack to a commodity attack within seven days, and was commoditised into a ransomware attack only 12 hours after that. This shows that a high-complexity attack can be commoditised in hours, which is why Cyber Essentials now requires all high and critical updates to be applied within 14 days.
Guidance on backing up
Backing up your data is not a technical requirement of Cyber Essentials, because the scheme focuses on measures that prevent an attack rather than on recovery after one. However, in recognition of the vital importance of backups, the scheme now includes guidance on backing up important data, and implementing an appropriate backup solution is highly recommended.
How the changes will work
There will be a grace period of one year to allow organisations to make the changes for the following requirements: MFA for cloud services, thin clients and security update management.
Help and support
If you need help preparing your organisation for Cyber Essentials, a free online tool helps you gauge your current level of cyber security against where you need to be to achieve certification. The Cyber Essentials Readiness Tool includes a series of guidance documents that help you understand the five controls and how they apply to your business.
Your answers to the readiness tool questionnaire will inform the tailored guidance and step by step action plan which will be presented to you when you reach the end of the readiness tool.
For in-depth and bespoke support, contact one of the Cyber Essentials Certification Bodies located around the UK and Crown Dependencies. These specialists are trained and licensed to certify against Cyber Essentials and are available to offer consulting services to help you achieve your certification.
IASME is an organisation based in the Malvern Hills, Worcestershire, that helps businesses improve their cyber security, risk management and counter-fraud through an effective and accessible range of certifications. From 1 April 2020, IASME became the National Cyber Security Centre's Cyber Essentials Partner, responsible for the delivery of the scheme.